Emerging cloud architectures, 5G, and Industry 4.0 are opening the door to a new generation of network-level attacks and security threats that target IP networks and the data that flows through them. Current solutions lack the scale and functionality to address the growing threat volume and complexity.
At Nokia, we embed security into every layer of our IP network infrastructure. We deliver the at-scale, fully-featured protection you need to guarantee the performance and integrity of your mission critical networks.
DDoS in 2021
Nokia Deepfield Network Intelligence Report: DDoS activity and trends in 2021
The rapidly growing number of open and insecure internet servers and IoT devices, along with access to more bandwidth than ever, creates a threat potential for DDoS attacks over 10 Tb/s to happen – attacks that can bring down whole networks or entire countries. In our report, we captured major DDoS activity and trends in 2021.
Join our live session where we explore how botnet DDoS has grown to become the dominant source of DDOS traffic, engaging millions of insecure IP endpoints and IoT devices and generating tens of thousands of attacks daily on users, services and CSP infrastructure.
Why IP networks are vulnerable
IP networks are changing faster than ever. With these changes come new network-level security threats and a broader attack surface:
- Increasing numbers of IoT and Industry 4.0 devices are being connected to the IP network, and may be vulnerable to hijacking. Once hijacked, these devices have access to wide bandwidth to launch attacks.
- Communications Service Providers (CSPs) are embracing third party transport options, open network architectures and globalization. This makes their networks increasingly porous, and the data they transport increasingly vulnerable to confidentiality and integrity breaches.
- 5G is accelerating cloudification, which enables network functions and services to run anywhere. As network functions become more distributed, the attack surface increases.
At the same time, volumetric distributed denial of service (DDoS) attacks are growing in frequency, complexity, and scale. Millions of hijacked IoT devices are used in conjunction with amplification techniques to flood the network with terabits of data and hundreds of millions of packets per second. A new generation of attacks use short, intense bursts of traffic to disrupt networks, making them hard to pinpoint and stop. Whether volumetric DDoS attacks target the CSP’s IP network or simply use it to reach another target, they always impair the CSP’s ability to maintain consistently high service quality.
Economic and political falllout is escalating
The economic and political fallout from man-in-the-middle attacks and data breaches is also escalating. Enterprises embracing digitalization are concerned about loss of revenue and reputation. Government is concerned at the growing disruption of critical infrastructure and services. CSPs are looking to secure new revenue from the digitalization of critical industries must be able to demonstrate that data flowing through their networks is impervious to theft or manipulation.
Addressing all these network-level threats is difficult for security solutions that run on top of IP networks. They lack the cost-effective scale and functionality to fully protect IP networks from the growing threat landscape.
We secure IP networks from within
To provide at-scale protection of IP networks, IP network security must be like packet forwarding – a high-performance, highly scalable capability of the IP network itself.
Nokia has pioneered this approach by embedding security into the DNA of every layer of our IP network infrastructure, providing high-performance, fully featured and at-scale protection for your mission-critical IP networks.
Adopt a self-defending IP network infrastructure
Our multi-layer embedded approach to IP network security begins at the IP silicon layer with the FP5 chipset at the heart of our 7750 SR and 7950 XRS series of routers. FP5 provides the filtering scale and performance headroom necessary to be a highly precise attack sensor and mitigation element. It provides the universal encryption (ANYsec) required to secure any service, over any transport, at any time. Both capabilities can be used at line rate – without impacting the performance of other services running on the same chipset. This ensures network performance and service quality remain high even during the most intense DDoS attacks.
At the network OS layer, our highly secure and hardened SR OS is designed and tested to block attempts at manipulation and unauthorized access. SR OS leverages highly granular queueing in FP5 to limit every control plane interaction to its fair-share slice of the control plane CPU. This stops volumetric attacks from overwhelming the control plane processor, without impacting legitimate control plane interactions.
At the tools and applications layer, our integrated, high-performance IPsec gateway (Nokia Secure Gateway) inherits the scale, resiliency, and security of the carrier-grade 7750 SR infrastructure. A single Nokia Secure Gateway can support up to 32,000 base stations and up to 960GB/s of encrypted traffic.
Our Nokia SR OS Firewall protects the integrity of the control and management planes between trusted zones.
At the application level, our Deepfield Defender provides multi-dimensional intelligence, analytics, and automation that use the network infrastructure to quickly identify and mitigate DDoS attacks.
Universal, line-rate network encryption for CSPs
CSPs can now ensure the confidentiality and integrity of all data flowing through their network with ANYsec universal network encryption. Designed specifically for CSP networks, ANYsec leverages FP5 silicon to extend the low latency and simplicity of MACsec encryption to tunnels, flows and slices engineered using MPLS, Segment Routing and IP. With FP5, network encryption becomes a universal function of the network itself.
ANYsec provides CSPs with the freedom to transform IP services into secure IP services on demand. Instead of treating encryption as an expensive, complex and limited capability that requires significant advanced planning, SPs can turn on encryption whenever and wherever it is required. This can be done natively no matter what service or network transport is being used, and without impacting the performance of any other service running on the same chipset.
Identify and mitigate attacks automatically
Using manual solutions and forensic analysis, you can’t respond quickly enough to stop attacks from causing disruption, and accuracy is sometimes compromised.
Nokia Deepfield Defender and 7750 SR and 7950 XRS series routers allow you to identify and respond to attacks automatically. Security policies are continuously monitored and tuned using telemetry from the network. With the automated workflows in Deepfield Defender, you can update tens of thousands of IP silicon filters in seconds to respond to changing security conditions without delay.
Accuracy is high. High-scale, highly granular filters can inspect IP headers or use signature matching to identify and mitigate against sophisticated attacks, without impacting router performance. Deepfield Defender adds multi-dimensional security analytics, giving you unprecedented insight into DDoS attacks of all types. This information is combined with Deepfield Secure Genome, which provides unique visibility into internet traffic, to further minimize false positives and negatives.
With Nokia, you can block attacks with greater precision before they impact service quality.
Protect everything, everywhere, all the time
Due to the prohibitive cost and limited scale of traditional DDoS solutions, CSPs have only been able to protect a few select customers or a portion of their network from DDoS attacks.
With IP security embedded within the network, you can protect your whole network and all your customers, all the time. Deepfield Defender and 7750 SR and 7950 XRS series routers shield you from all types of attacks (such as multivector, spoofing, botnet, or carpet bombing), from any origin (inbound or outbound), towards any target (not just protected targets), on any boundary (core, peering, data center, or service edge).
By stopping all customer directed attacks at the edge of your network, service quality and network performance always remain high.
It’s about protecting your brand and business: customers want a network that won’t let them down and providing one will help to reduce churn.
Related solutions and products
Virtualized Security Services
Trust software-defined security to fill critical gaps in your datacenter or cloud
Stop DDoS traffic before it impacts your customers and services
IPsec Security Gateway
Keep your customers’ IP traffic safe as it traverses unsecure networks
Learn more about IP networks and security
C-RAN fronthaul case study
7750 SR-s XMA2-s
7750 SR-1x Service Router
Advanced Security Testing and Research (ASTaR) Lab
Please complete the form below.
At-scale protection for mission-critical IP networks
Let’s discuss how our unique approach to IP network security delivers the protection you need to guarantee the performance and integrity of your mission-critical IP networks.